
SONARJAVA-6296 Configure Renovate #5587

Merged
tomasz-tylenda-sonarsource merged 4 commits into master from renovate/configure
May 6, 2026

Conversation


renovate (bot) commented Apr 29, 2026

Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.

🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.

📚 See our Reading List for relevant documentation you may be interested in reading.

🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to renovate.json in this branch. Renovate will update the Pull Request description the next time it runs.


Detected Package Files

  • .github/actions/orchestrator-cache/action.yml (github-actions)
  • .github/actions/upload-actual/action.yml (github-actions)
  • .github/workflows/PrepareNextIteration.yml (github-actions)
  • .github/workflows/PullRequestClosed.yml (github-actions)
  • .github/workflows/PullRequestCreated.yml (github-actions)
  • .github/workflows/ReleasabilityCheck.yml (github-actions)
  • .github/workflows/RequestReview.yml (github-actions)
  • .github/workflows/SubmitReview.yml (github-actions)
  • .github/workflows/ToggleLockBranch.yml (github-actions)
  • .github/workflows/UpdateRuleMetadata.yml (github-actions)
  • .github/workflows/automated-release.yml (github-actions)
  • .github/workflows/build.yml (github-actions)
  • .github/workflows/cleanup-cache.yml (github-actions)
  • .github/workflows/dogfood.yml (github-actions)
  • .github/workflows/mark-prs-stale.yml (github-actions)
  • .github/workflows/pr-cleanup.yml (github-actions)
  • .github/workflows/releasability.yaml (github-actions)
  • .github/workflows/release.yml (github-actions)
  • .github/workflows/unified-dogfooding.yml (github-actions)
  • check-list/pom.xml (maven)
  • external-reports/pom.xml (maven)
  • its/autoscan/pom.xml (maven)
  • its/plugin/plugins/java-extension-plugin/pom.xml (maven)
  • its/plugin/plugins/pom.xml (maven)
  • its/plugin/pom.xml (maven)
  • its/plugin/tests/pom.xml (maven)
  • its/pom.xml (maven)
  • its/ruling/pom.xml (maven)
  • its/vibebot/pom.xml (maven)
  • java-checks-aws/pom.xml (maven)
  • java-checks-common/pom.xml (maven)
  • java-checks-testkit/pom.xml (maven)
  • java-checks/pom.xml (maven)
  • java-frontend/pom.xml (maven)
  • java-jsp/pom.xml (maven)
  • java-surefire/pom.xml (maven)
  • pom.xml (maven)
  • sonar-java-plugin/pom.xml (maven)
  • .github/workflows/PrepareNextIteration.yml (regex)
  • .github/workflows/build.yml (regex)
  • .github/workflows/unified-dogfooding.yml (regex)

Configuration Summary

Based on the default config's presets, Renovate will:

  • Start dependency updates only once this onboarding PR is merged
  • Hopefully safe environment variables to allow users to configure.
  • Show all Merge Confidence badges for pull requests.
  • Enable Renovate Dependency Dashboard creation.
  • Use semantic commit type fix for dependencies and chore for all others if semantic commits are in use.
  • Ignore node_modules, bower_components, vendor and various test/tests (except for nuget) directories.
  • Group known monorepo packages together.
  • Use curated list of recommended non-monorepo package groupings.
  • Show only the Age and Confidence Merge Confidence badges for pull requests.
  • Apply crowd-sourced package replacement rules.
  • Apply crowd-sourced workarounds for known problems with packages.
  • Ensure that every dependency pinned by digest and sourced from Forgejo contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from Gitea contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from GitHub.com and Github enterprise contains a link to the commit-to-commit diff
  • Ensure that every dependency pinned by digest and sourced from GitLab.com contains a link to the commit-to-commit diff
  • Correctly link to the source code for golang.org/x packages
  • Link to pkg.go.dev/... for golang.org/x packages' title
  • Evaluate schedules according to timezone CET.
  • Remove hourly and concurrent rate limits.
  • Run Renovate on following schedule: before 6am on Monday

What to Expect

With your current configuration, Renovate will create 9 Pull Requests:

Update dependency org.springframework:spring-webmvc to v6 [SECURITY]
Update GitHub Actions dependencies
Update Analyzer Commons to v2.22.0.4796
Update Maven dependencies
Update Sonar dependencies
Update SSLR to v1.25.1.3886
Update GitHub Actions dependencies (major)
  • Schedule: ["before 6am on Monday"]
  • Branch name: renovate/major-github-actions-dependencies
  • Merge into: master
  • Upgrade actions/checkout to de0fac2e4500dabe0009e67214ff5f5447ce83dd
  • Upgrade actions/stale to b5d41d4e1d5dceea10e7104786b73624c18a190f
  • Upgrade actions/upload-artifact to 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
  • Upgrade slackapi/slack-github-action to 03ea5433c137af7c0495bc0cad1af10403fc800c
Update Maven dependencies (major)
Update Sonar dependencies (major)

❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.


This PR was generated by Mend Renovate. View the repository job log.
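The major-update group above moves actions/checkout, actions/stale, actions/upload-artifact and slackapi/slack-github-action from tags to full commit SHAs. As an added example (not code from the PR, from Renovate or from the sonar-java repository), the script below audits workflow YAML for `uses:` references that are not pinned to a 40-hex commit SHA, which is the check a reviewer would run before relying on Renovate to keep the pins current. The workflow text is constructed for the demo; the only SHA in it is the actions/checkout digest listed in the PR.

```python
"""Audit GitHub Actions workflows for `uses:` references not pinned to a commit SHA.

Added example; not code from the PR, Renovate or the sonar-java repository.
A tag such as @v4 or a branch such as @main is mutable, so the action's code
can change underneath the workflow; a 40-hex commit SHA is what Renovate's
digest pinning keeps current.
"""
import re
from typing import NamedTuple

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# `uses:` value up to the first whitespace, quote or `#` (so `# vX.Y` pin comments are ignored).
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


class UsesRef(NamedTuple):
    line_no: int
    action: str   # owner/repo[/path]
    ref: str      # whatever follows '@' (empty if there is none)
    pinned: bool  # True only for a full 40-hex commit SHA


def audit_workflow(text: str) -> list[UsesRef]:
    """Return every remote action reference in a workflow with its pin status."""
    refs = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if not match:
            continue
        spec = match.group(1)
        # Local composite actions and docker images carry no git ref to pin.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        refs.append(UsesRef(line_no, action, ref, bool(FULL_SHA.match(ref))))
    return refs


def unpinned(text: str) -> list[UsesRef]:
    """Only the references a reviewer should flag."""
    return [r for r in audit_workflow(text) if not r.pinned]


# Constructed sample workflow; only the actions/checkout SHA is taken from the PR above.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # renovate-pinned
      - uses: actions/upload-artifact@v4
      - uses: ./.github/actions/orchestrator-cache
      - name: notify
        uses: slackapi/slack-github-action@main
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for ref in unpinned(SAMPLE_WORKFLOW):
        print(f"line {ref.line_no}: {ref.action}@{ref.ref or '<no ref>'} is not pinned to a commit SHA")
```

Run it against each file under .github/workflows and .github/actions; anything it reports is a mutable reference that a compromised tag or branch could redirect, which is exactly what the SHA pins in the group above remove.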


hashicorp-vault-sonar-prod (bot) commented Apr 29, 2026

Renovate Jira issue ID: SONARJAVA-6295


sonar-review-alpha (bot) commented Apr 29, 2026

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

This PR adds the Renovate configuration file (renovate.json5) for the sonar-java repository. It extends SonarSource's standard JVM squad configuration and applies two key customizations:

  1. Path exclusions — skips dependency updates for documentation, test fixtures, and test resources that are intentionally pinned at specific versions
  2. Custom package rules — groups SSLR packages together and disables major version updates for SLF4J (since those changes can create incompatibilities the team prefers to manage manually)

Once merged, Renovate will begin creating dependency update PRs on a schedule (before 6am Monday) for the Maven and GitHub Actions dependencies detected across the repository.

What reviewers should know

For reviewers:

  • Single file change — the only modification is the new renovate.json5 configuration file, which is straightforward to review
  • Verify the ignored paths — check that the listed paths in ignorePaths correctly exclude test fixtures and documentation that shouldn't receive automated updates
  • Review package rules — confirm the SLF4J rule (disabling major version updates) aligns with the team's maintenance strategy; same for the SSLR grouping
  • Configuration inheritance — the config extends github>SonarSource/renovate-config:quality-jvm-squad, so familiarity with that base config helps understand what defaults are in place
  • Expected outcome — the author's description lists 9 initial PRs that will be created; this is normal for onboarding and gives you a preview of what to expect after merge



@tomasz-tylenda-sonarsource tomasz-tylenda-sonarsource changed the title Configure Renovate SONARJAVA-6296 Configure Renovate Apr 29, 2026

sonarqube-next (bot) commented May 5, 2026

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0 Dependency risks
No data about Coverage
No data about Duplication

See analysis details on SonarQube

sonar-review-alpha (bot) left a comment


One real bug in the SSLR package rule that will cause silent misconfiguration — the grouping will never apply.


Comment thread: renovate.json5
packageRules: [
  {
    matchPackageNames: [
      "org.sonarsource.sslr*"
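Review bot: the matchPackageNames glob on this line is the only thing that makes the SSLR grouping apply, and a glob that matches nothing fails silently, so confirm the final pattern against the real coordinates (org.sonarsource.sslr:sslr-core and org.sonarsource.sslr:sslr-testing-harness, as named in the thread) before merging, for example by checking that the Dependency Dashboard or the first Renovate run shows one grouped SSLR PR rather than separate ones; the adjacent SLF4J rule already uses the `org.slf4j:**` form, so writing both rules the same way also keeps the file readable as a single convention.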

The pattern org.sonarsource.sslr* will not match the actual Maven artifacts in this repo.

In Renovate, Maven package names are represented as groupId:artifactId (e.g. org.sonarsource.sslr:sslr-core, org.sonarsource.sslr:sslr-testing-harness). A bare * does not span the : separator — the SLF4J rule in this same file proves this: it uses org.slf4j:** with an explicit :** to match across the colon. Without that, the SSLR grouping rule will silently never match anything, and SSLR updates will arrive as individual PRs rather than grouped.

Suggested change:
-      "org.sonarsource.sslr*"
+      "org.sonarsource.sslr:**"

rombirli left a comment


LGTM

@tomasz-tylenda-sonarsource tomasz-tylenda-sonarsource merged commit 86e32f1 into master May 6, 2026
28 of 29 checks passed
@tomasz-tylenda-sonarsource tomasz-tylenda-sonarsource deleted the renovate/configure branch May 6, 2026 08:46
